IdentityServer4 refresh_token吊销
[英]IdentityServer4 refresh_token revocation
问题描述
I have SPA app that uses IdentityServer4 ROPC flow for auth with access and refresh tokens from this example https://github.com/robisim74/AngularSPAWebAPI . 
我有一个SPA应用程序,该应用程序使用IdentityServer4 ROPC流进行身份验证,并具有来自本示例https://github.com/robisim74/AngularSPAWebAPI的访问和刷新令牌。 Every 15 minutes I update refresh_token for a new pair of refresh and access tokens. 每隔15分钟,我会更新refresh_token以获取一对新的刷新和访问令牌。
However If I restart IdentityServer4 app old refresh_tokens issued before restart no longer valid. 但是,如果我重新启动IdentityServer4应用程序,则在重新启动之前发出的旧的refresh_tokens不再有效。 How to fix it? 如何解决? I suspect I should implement some interface to store issued refresh tokens? 我怀疑我应该实现一些接口来存储发出的刷新令牌吗?
1 个解决方案
解决方案1
2 已采纳 2017-06-05 09:28:00
You need to implement persisted grants by using the IPersistedGrantStore contract. 您需要使用IPersistedGrantStore合同来实施持久授权。 This stores things like refresh_tokens into a defined persistence. 这会将诸如refresh_tokens之类的内容存储到定义的持久性中。 By default IdentityServer 4 will use an InMemory persistence store, which is why you keep on losing your refresh_token references when you restart the application. 默认情况下,IdentityServer 4将使用InMemory持久性存储,这就是为什么在重新启动应用程序时会继续丢失refresh_token引用的原因。
It is pretty much mandatory to have a persistence layer for this in production if you are going to be using refresh_tokens. 如果要使用refresh_tokens,则在生产环境中为此保留一个持久层几乎是强制性的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.